ossec: split into server & agent; 2.6 -> unstable 2023-08-09
parent
886446e1dc
commit
ca9bcc2e2a
69
pkgs/tools/security/ossec/agent.nix
Normal file
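--- a/pkgs/tools/security/ossec/agent.nix
+++ b/pkgs/tools/security/ossec/agent.nix
@@ -0,0 +1,69 @@
+{ lib, stdenv, fetchFromGitHub, which, pcre2, zlib, ncurses, openssl }:
+let
+version = "unstable-2023-08-09";
+in
+stdenv.mkDerivation {
+pname = "ossec-agent";
+inherit version;
+
+src = fetchFromGitHub {
+owner = "ossec";
+repo = "ossec-hids";
+rev = "c8a36b0af3d4ee5252855b90236407cbfb996eb2";
+sha256 = "sha256-AZ8iubyhNHXGR/l+hA61ifNDUoan7AQ42l/uRTt5GmE=";
+};
+
+# clear is used during the build process
+nativeBuildInputs = [ ncurses ];
+
+buildInputs = [ which pcre2 zlib openssl ];
+
+# patch to remove root manipulation, install phase which tries to add users to the system, and init phase which tries to modify the system to launch files
+patches = [ ./no-root.patch ];
+
+# Workaround build failure on -fno-common toolchains like upstream
+# gcc-10. Otherwise build fails as:
+# ld: src/common/mgmt/pint-worker-external.po:(.data.rel.local+0x0): multiple definition of
+# `PINT_worker_external_impl'; src/common/mgmt/pint-mgmt.po:(.bss+0x20): first defined here
+env.NIX_CFLAGS_COMPILE = "-fcommon";
+
+buildPhase = ''
+mkdir $out
+export USER_DIR="$out" # just to satisy the script
+./install.sh <<EOF
+en
+
+agent
+127.0.0.1
+yes
+yes
+yes
+EOF
+
+'';
+
+installPhase = ''
+runHook preInstall
+
+mkdir -p $out/share
+mv $out/active-response/bin/* $out/bin
+mv $out/etc $out/share
+mv $out/queue $out/share
+mv $out/var $out/share
+mv $out/agentless $out/share
+mv $out/.ssh $out/share
+rm -r $out/active-response
+rm -r $out/tmp
+
+runHook postInstall
+'';
+
+meta = with lib; {
+description = "Open source host-based instrusion detection system";
+homepage = "https://www.ossec.net";
+license = licenses.gpl2;
+maintainers = with maintainers; [ happysalada ];
+platforms = platforms.all;
+};
+}
+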
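Review bot: The installPhase moves `etc`, `queue`, `var` and `.ssh` under `$out/share`, but the Nix store is read-only and world-readable, so the agent cannot write its queue there and an enrolled `client.keys` must never be placed in it. The derivation gives no hint of that; a comment above `installPhase` such as `# templates only: runtime state (client.keys, queue/, var/run) must live in a writable, access-restricted directory outside the store` would say so, and the same applies to server.nix. The heredoc answers (`127.0.0.1`, then three `yes`) are also unexplained; the third `yes` presumably enables active response, so a comment naming each install.sh prompt would let a reader see which features are switched on by default.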
|
@ -1,45 +0,0 @@
|
|||
{ lib, stdenv, fetchurl, which }:
|
||||
|
||||
stdenv.mkDerivation rec {
|
||||
pname = "ossec-client";
|
||||
version = "2.6";
|
||||
|
||||
src = fetchurl {
|
||||
url = "https://www.ossec.net/files/ossec-hids-${version}.tar.gz";
|
||||
sha256 = "0k1b59wdv9h50gbyy88qw3cnpdm8hv0nrl0znm92h9a11i5b39ip";
|
||||
};
|
||||
|
||||
buildInputs = [ which ];
|
||||
|
||||
patches = [ ./no-root.patch ];
|
||||
|
||||
# Workaround build failure on -fno-common toolchains like upstream
|
||||
# gcc-10. Otherwise build fails as:
|
||||
# ld: src/common/mgmt/pint-worker-external.po:(.data.rel.local+0x0): multiple definition of
|
||||
# `PINT_worker_external_impl'; src/common/mgmt/pint-mgmt.po:(.bss+0x20): first defined here
|
||||
env.NIX_CFLAGS_COMPILE = "-fcommon";
|
||||
|
||||
buildPhase = ''
|
||||
echo "en
|
||||
|
||||
agent
|
||||
$out
|
||||
no
|
||||
127.0.0.1
|
||||
yes
|
||||
yes
|
||||
yes
|
||||
|
||||
|
||||
" | ./install.sh
|
||||
'';
|
||||
|
||||
meta = with lib; {
|
||||
description = "Open source host-based instrusion detection system";
|
||||
homepage = "https://www.ossec.net";
|
||||
license = licenses.gpl2;
|
||||
maintainers = with maintainers; [ ];
|
||||
platforms = platforms.linux;
|
||||
};
|
||||
}
|
||||
|
|
@ -1,7 +1,8 @@
|
|||
diff -Naur ossec-hids-2.6-orig/install.sh ossec-hids-2.6/install.sh
|
||||
--- ossec-hids-2.6-orig/install.sh 2011-07-11 15:36:58.000000000 -0400
|
||||
+++ ossec-hids-2.6/install.sh 2012-07-09 09:58:57.970692818 -0400
|
||||
@@ -119,14 +119,14 @@
|
||||
diff --git a/install.sh b/install.sh
|
||||
index 387bde1a..cb6dcbf2 100755
|
||||
--- a/install.sh
|
||||
+++ b/install.sh
|
||||
@@ -126,14 +126,14 @@ Install()
|
||||
# Generate the /etc/ossec-init.conf
|
||||
VERSION_FILE="./src/VERSION"
|
||||
VERSION=`cat ${VERSION_FILE}`
|
||||
|
@ -12,19 +13,38 @@ diff -Naur ossec-hids-2.6-orig/install.sh ossec-hids-2.6/install.sh
|
|||
- echo "TYPE=\"${INSTYPE}\"" >> ${OSSEC_INIT}
|
||||
- chmod 600 ${OSSEC_INIT}
|
||||
- cp -pr ${OSSEC_INIT} ${INSTALLDIR}${OSSEC_INIT}
|
||||
- chmod 644 ${INSTALLDIR}${OSSEC_INIT}
|
||||
+ echo chmod 700 ${OSSEC_INIT} > /dev/null 2>&1
|
||||
+ echo "DIRECTORY=\"${INSTALLDIR}\"" > ${INSTALLDIR}${OSSEC_INIT}
|
||||
+ echo "VERSION=\"${VERSION}\"" >> ${INSTALLDIR}${OSSEC_INIT}
|
||||
+ echo "DATE=\"`date`\"" >> ${INSTALLDIR}${OSSEC_INIT}
|
||||
+ echo "TYPE=\"${INSTYPE}\"" >> ${INSTALLDIR}${OSSEC_INIT}
|
||||
+ echo chmod 600 ${OSSEC_INIT}
|
||||
+ echo cp -pr ${OSSEC_INIT} ${INSTALLDIR}${OSSEC_INIT}
|
||||
+ echo chmod 644 ${INSTALLDIR}${OSSEC_INIT}
|
||||
- chmod 640 ${INSTALLDIR}${OSSEC_INIT}
|
||||
+ # chmod 700 ${OSSEC_INIT} > /dev/null 2>&1
|
||||
+ # echo "DIRECTORY=\"${INSTALLDIR}\"" > ${OSSEC_INIT}
|
||||
+ # echo "VERSION=\"${VERSION}\"" >> ${OSSEC_INIT}
|
||||
+ # echo "DATE=\"`date`\"" >> ${OSSEC_INIT}
|
||||
+ # echo "TYPE=\"${INSTYPE}\"" >> ${OSSEC_INIT}
|
||||
+ # chmod 600 ${OSSEC_INIT}
|
||||
+ # cp -pr ${OSSEC_INIT} ${INSTALLDIR}${OSSEC_INIT}
|
||||
+ # chmod 640 ${INSTALLDIR}${OSSEC_INIT}
|
||||
|
||||
|
||||
# If update_rules is set, we need to tweak
|
||||
@@ -926,11 +926,6 @@
|
||||
@@ -148,12 +148,12 @@ Install()
|
||||
fi
|
||||
|
||||
# Calling the init script to start ossec hids during boot
|
||||
- if [ "X${update_only}" = "X" ]; then
|
||||
- runInit
|
||||
- if [ $? = 1 ]; then
|
||||
- notmodified="yes"
|
||||
- fi
|
||||
- fi
|
||||
+ # if [ "X${update_only}" = "X" ]; then
|
||||
+ # runInit
|
||||
+ # if [ $? = 1 ]; then
|
||||
+ # notmodified="yes"
|
||||
+ # fi
|
||||
+ # fi
|
||||
|
||||
}
|
||||
|
||||
@@ -965,10 +965,10 @@ main()
|
||||
catError "0x1-location";
|
||||
fi
|
||||
|
||||
|
@ -32,145 +52,246 @@ diff -Naur ossec-hids-2.6-orig/install.sh ossec-hids-2.6/install.sh
|
|||
- if [ ! "X$ME" = "Xroot" ]; then
|
||||
- catError "0x2-beroot";
|
||||
- fi
|
||||
-
|
||||
+ # # Must be root
|
||||
+ # if [ ! "X$ME" = "Xroot" ]; then
|
||||
+ # catError "0x2-beroot";
|
||||
+ # fi
|
||||
|
||||
# Checking dependencies
|
||||
checkDependencies
|
||||
|
||||
diff -Naur ossec-hids-2.6-orig/src/InstallAgent.sh ossec-hids-2.6/src/InstallAgent.sh
|
||||
--- ossec-hids-2.6-orig/src/InstallAgent.sh 2011-07-11 15:36:58.000000000 -0400
|
||||
+++ ossec-hids-2.6/src/InstallAgent.sh 2012-07-09 09:56:12.061870552 -0400
|
||||
@@ -80,7 +80,7 @@
|
||||
diff --git a/src/Makefile b/src/Makefile
|
||||
index 7fc04c0b..0eb27a0a 100644
|
||||
--- a/src/Makefile
|
||||
+++ b/src/Makefile
|
||||
@@ -144,7 +144,7 @@ endif
|
||||
ifeq (${uname_S},AIX)
|
||||
INSTALL_CMD?=./install-shim-aix.ksh -m $(1) -o $(2) -g $(3)
|
||||
else
|
||||
grep "^${USER}" /etc/passwd > /dev/null 2>&1
|
||||
if [ ! $? = 0 ]; then
|
||||
- /usr/sbin/groupadd ${GROUP}
|
||||
+ echo /usr/sbin/groupadd ${GROUP}
|
||||
- INSTALL_CMD?=install -m $(1) -o $(2) -g $(3)
|
||||
+ INSTALL_CMD?=install
|
||||
endif
|
||||
|
||||
# We first check if /sbin/nologin is present. If it is not,
|
||||
# we look for bin/false. If none of them is present, we
|
||||
@@ -93,7 +93,7 @@
|
||||
OSMYSHELL="/bin/false"
|
||||
fi
|
||||
fi
|
||||
- /usr/sbin/useradd -d ${DIR} -s ${OSMYSHELL} -g ${GROUP} ${USER}
|
||||
+ echo /usr/sbin/useradd -d ${DIR} -s ${OSMYSHELL} -g ${GROUP} ${USER}
|
||||
fi
|
||||
fi
|
||||
ifdef DEBUGAD
|
||||
@@ -404,10 +404,10 @@ endif
|
||||
install: install-${TARGET}
|
||||
|
||||
@@ -105,31 +105,31 @@
|
||||
done
|
||||
install-agent: install-common
|
||||
- $(call INSTALL_CMD,0550,root,0) ossec-agentd ${PREFIX}/bin
|
||||
- $(call INSTALL_CMD,0550,root,0) agent-auth ${PREFIX}/bin
|
||||
+ $(call INSTALL_CMD) ossec-agentd ${PREFIX}/bin
|
||||
+ $(call INSTALL_CMD) agent-auth ${PREFIX}/bin
|
||||
|
||||
# Default for all directories
|
||||
-chmod -R 550 ${DIR}
|
||||
-chown -R root:${GROUP} ${DIR}
|
||||
+echo chmod -R 550 ${DIR}
|
||||
+echo chown -R root:${GROUP} ${DIR}
|
||||
- $(call INSTALL_CMD,0750,${OSSEC_USER},${OSSEC_GROUP}) -d ${PREFIX}/queue/rids
|
||||
+ $(call INSTALL_CMD) -d ${PREFIX}/queue/rids
|
||||
|
||||
# To the ossec queue (default for agentd to read)
|
||||
-chown -R ${USER}:${GROUP} ${DIR}/queue/ossec
|
||||
-chmod -R 770 ${DIR}/queue/ossec
|
||||
+echo chown -R ${USER}:${GROUP} ${DIR}/queue/ossec
|
||||
+echo chmod -R 770 ${DIR}/queue/ossec
|
||||
install-local: install-server-generic
|
||||
|
||||
# For the logging user
|
||||
-chown -R ${USER}:${GROUP} ${DIR}/logs
|
||||
-chmod -R 750 ${DIR}/logs
|
||||
-chmod -R 775 ${DIR}/queue/rids
|
||||
-touch ${DIR}/logs/ossec.log
|
||||
-chown ${USER}:${GROUP} ${DIR}/logs/ossec.log
|
||||
-chmod 664 ${DIR}/logs/ossec.log
|
||||
@@ -416,133 +416,126 @@ install-hybrid: install-server-generic
|
||||
install-server: install-server-generic
|
||||
|
||||
install-common: build
|
||||
- ./init/adduser.sh ${OSSEC_USER} ${OSSEC_USER_MAIL} ${OSSEC_USER_REM} ${OSSEC_GROUP} ${PREFIX}
|
||||
- $(call INSTALL_CMD,0550,root,${OSSEC_GROUP}) -d ${PREFIX}/
|
||||
- $(call INSTALL_CMD,0750,${OSSEC_USER},${OSSEC_GROUP}) -d ${PREFIX}/logs
|
||||
- $(call INSTALL_CMD,0660,${OSSEC_USER},${OSSEC_GROUP}) /dev/null ${PREFIX}/logs/ossec.log
|
||||
-
|
||||
-chown -R ${USER}:${GROUP} ${DIR}/queue/diff
|
||||
-chmod -R 750 ${DIR}/queue/diff
|
||||
-chmod 740 ${DIR}/queue/diff/* > /dev/null 2>&1
|
||||
+echo chown -R ${USER}:${GROUP} ${DIR}/logs
|
||||
+echo chmod -R 750 ${DIR}/logs
|
||||
+echo chmod -R 775 ${DIR}/queue/rids
|
||||
+echo touch ${DIR}/logs/ossec.log
|
||||
+echo chown ${USER}:${GROUP} ${DIR}/logs/ossec.log
|
||||
+echo chmod 664 ${DIR}/logs/ossec.log
|
||||
+
|
||||
+echo chown -R ${USER}:${GROUP} ${DIR}/queue/diff
|
||||
+echo chmod -R 750 ${DIR}/queue/diff
|
||||
+echo chmod 740 ${DIR}/queue/diff/* "> /dev/null 2>&1"
|
||||
- $(call INSTALL_CMD,0550,root,0) -d ${PREFIX}/bin
|
||||
- $(call INSTALL_CMD,0550,root,0) ossec-logcollector ${PREFIX}/bin
|
||||
- $(call INSTALL_CMD,0550,root,0) ossec-syscheckd ${PREFIX}/bin
|
||||
- $(call INSTALL_CMD,0550,root,0) ossec-execd ${PREFIX}/bin
|
||||
- $(call INSTALL_CMD,0550,root,0) manage_agents ${PREFIX}/bin
|
||||
- $(call INSTALL_CMD,0550,root,0) ../contrib/util.sh ${PREFIX}/bin/
|
||||
- $(call INSTALL_CMD,0550,root,0) ${OSSEC_CONTROL_SRC} ${PREFIX}/bin/ossec-control
|
||||
+ $(call INSTALL_CMD) -d ${PREFIX}/bin
|
||||
+ $(call INSTALL_CMD) ossec-logcollector ${PREFIX}/bin
|
||||
+ $(call INSTALL_CMD) ossec-syscheckd ${PREFIX}/bin
|
||||
+ $(call INSTALL_CMD) ossec-execd ${PREFIX}/bin
|
||||
+ $(call INSTALL_CMD) manage_agents ${PREFIX}/bin
|
||||
+ $(call INSTALL_CMD) ../contrib/util.sh ${PREFIX}/bin/
|
||||
+ $(call INSTALL_CMD) ${OSSEC_CONTROL_SRC} ${PREFIX}/bin/ossec-control
|
||||
|
||||
ifeq (${LUA_ENABLE},yes)
|
||||
- $(call INSTALL_CMD,0550,root,0) -d ${PREFIX}/lua
|
||||
- $(call INSTALL_CMD,0550,root,0) -d ${PREFIX}/lua/native
|
||||
- $(call INSTALL_CMD,0550,root,0) -d ${PREFIX}/lua/compiled
|
||||
- $(call INSTALL_CMD,0550,root,0) ${EXTERNAL_LUA}src/ossec-lua ${PREFIX}/bin/
|
||||
- $(call INSTALL_CMD,0550,root,0) ${EXTERNAL_LUA}src/ossec-luac ${PREFIX}/bin/
|
||||
+ $(call INSTALL_CMD) -d ${PREFIX}/lua
|
||||
+ $(call INSTALL_CMD) -d ${PREFIX}/lua/native
|
||||
+ $(call INSTALL_CMD) -d ${PREFIX}/lua/compiled
|
||||
+ $(call INSTALL_CMD) ${EXTERNAL_LUA}src/ossec-lua ${PREFIX}/bin/
|
||||
+ $(call INSTALL_CMD) ${EXTERNAL_LUA}src/ossec-luac ${PREFIX}/bin/
|
||||
endif
|
||||
|
||||
- $(call INSTALL_CMD,0550,root,${OSSEC_GROUP}) -d ${PREFIX}/queue
|
||||
- $(call INSTALL_CMD,0770,${OSSEC_USER},${OSSEC_GROUP}) -d ${PREFIX}/queue/alerts
|
||||
- $(call INSTALL_CMD,0750,${OSSEC_USER},${OSSEC_GROUP}) -d ${PREFIX}/queue/ossec
|
||||
- $(call INSTALL_CMD,0750,${OSSEC_USER},${OSSEC_GROUP}) -d ${PREFIX}/queue/syscheck
|
||||
- $(call INSTALL_CMD,0750,${OSSEC_USER},${OSSEC_GROUP}) -d ${PREFIX}/queue/diff
|
||||
+ $(call INSTALL_CMD) -d ${PREFIX}/queue
|
||||
+ $(call INSTALL_CMD) -d ${PREFIX}/queue/alerts
|
||||
+ $(call INSTALL_CMD) -d ${PREFIX}/queue/ossec
|
||||
+ $(call INSTALL_CMD) -d ${PREFIX}/queue/syscheck
|
||||
+ $(call INSTALL_CMD) -d ${PREFIX}/queue/diff
|
||||
|
||||
- $(call INSTALL_CMD,0550,root,${OSSEC_GROUP}) -d ${PREFIX}/etc
|
||||
+ $(call INSTALL_CMD) -d ${PREFIX}/etc
|
||||
ifeq (${INSTALL_LOCALTIME},yes)
|
||||
- $(call INSTALL_CMD,0440,root,${OSSEC_GROUP}) /etc/localtime ${PREFIX}/etc
|
||||
+ $(call INSTALL_CMD) /etc/localtime ${PREFIX}/etc
|
||||
endif
|
||||
ifeq (${INSTALL_RESOLVCONF},yes)
|
||||
- $(call INSTALL_CMD,0440,root,${OSSEC_GROUP}) /etc/resolv.conf ${PREFIX}/etc
|
||||
+ $(call INSTALL_CMD) /etc/resolv.conf ${PREFIX}/etc
|
||||
endif
|
||||
|
||||
# For the etc dir
|
||||
-chmod 550 ${DIR}/etc
|
||||
-chown -R root:${GROUP} ${DIR}/etc
|
||||
+echo chmod 550 ${DIR}/etc
|
||||
+echo chown -R root:${GROUP} ${DIR}/etc
|
||||
- $(call INSTALL_CMD,1550,root,${OSSEC_GROUP}) -d ${PREFIX}/tmp
|
||||
+ $(call INSTALL_CMD) -d ${PREFIX}/tmp
|
||||
|
||||
ls /etc/localtime > /dev/null 2>&1
|
||||
if [ $? = 0 ]; then
|
||||
@@ -167,25 +167,25 @@
|
||||
cp -pr ../etc/client.keys ${DIR}/etc/ > /dev/null 2>&1
|
||||
cp -pr agentlessd/scripts/* ${DIR}/agentless/
|
||||
ifneq (,$(wildcard /etc/TIMEZONE))
|
||||
- $(call INSTALL_CMD,440,root,${OSSEC_GROUP}) /etc/TIMEZONE ${PREFIX}/etc/
|
||||
+ $(call INSTALL_CMD) /etc/TIMEZONE ${PREFIX}/etc/
|
||||
endif
|
||||
# Solaris Needs some extra files
|
||||
ifeq (${uname_S},SunOS)
|
||||
- $(call INSTALL_CMD,0550,root,${OSSEC_GROUP}) -d ${PREFIX}/usr/share/lib/zoneinfo/
|
||||
+ $(call INSTALL_CMD) -d ${PREFIX}/usr/share/lib/zoneinfo/
|
||||
cp -r /usr/share/lib/zoneinfo/* ${PREFIX}/usr/share/lib/zoneinfo/
|
||||
endif
|
||||
- $(call INSTALL_CMD,0640,root,${OSSEC_GROUP}) -b ../etc/internal_options.conf ${PREFIX}/etc/
|
||||
+ $(call INSTALL_CMD) -b ../etc/internal_options.conf ${PREFIX}/etc/
|
||||
ifeq (,$(wildcard ${PREFIX}/etc/local_internal_options.conf))
|
||||
- $(call INSTALL_CMD,0640,root,${OSSEC_GROUP}) ../etc/local_internal_options.conf ${PREFIX}/etc/local_internal_options.conf
|
||||
+ $(call INSTALL_CMD) ../etc/local_internal_options.conf ${PREFIX}/etc/local_internal_options.conf
|
||||
endif
|
||||
ifeq (,$(wildcard ${PREFIX}/etc/client.keys))
|
||||
- $(call INSTALL_CMD,0640,root,${OSSEC_GROUP}) /dev/null ${PREFIX}/etc/client.keys
|
||||
+ $(call INSTALL_CMD) /dev/null ${PREFIX}/etc/client.keys
|
||||
endif
|
||||
ifeq (,$(wildcard ${PREFIX}/etc/ossec.conf))
|
||||
ifneq (,$(wildcard ../etc/ossec.mc))
|
||||
- $(call INSTALL_CMD,0640,root,${OSSEC_GROUP}) ../etc/ossec.mc ${PREFIX}/etc/ossec.conf
|
||||
+ $(call INSTALL_CMD) ../etc/ossec.mc ${PREFIX}/etc/ossec.conf
|
||||
else
|
||||
- $(call INSTALL_CMD,0640,root,${OSSEC_GROUP}) ${OSSEC_CONF_SRC} ${PREFIX}/etc/ossec.conf
|
||||
+ $(call INSTALL_CMD) ${OSSEC_CONF_SRC} ${PREFIX}/etc/ossec.conf
|
||||
endif
|
||||
endif
|
||||
|
||||
-chown root:${GROUP} ${DIR}/etc/internal_options.conf
|
||||
-chown root:${GROUP} ${DIR}/etc/local_internal_options.conf > /dev/null 2>&1
|
||||
-chown root:${GROUP} ${DIR}/etc/client.keys > /dev/null 2>&1
|
||||
-chown root:${GROUP} ${DIR}/agentless/*
|
||||
-chown ${USER}:${GROUP} ${DIR}/.ssh
|
||||
-chown -R root:${GROUP} ${DIR}/etc/shared
|
||||
- $(call INSTALL_CMD,0770,root,${OSSEC_GROUP}) -d ${PREFIX}/etc/shared
|
||||
- $(call INSTALL_CMD,0640,${OSSEC_USER},${OSSEC_GROUP}) rootcheck/db/*.txt ${PREFIX}/etc/shared/
|
||||
+ $(call INSTALL_CMD) -d ${PREFIX}/etc/shared
|
||||
+ $(call INSTALL_CMD) rootcheck/db/*.txt ${PREFIX}/etc/shared/
|
||||
|
||||
- $(call INSTALL_CMD,0550,root,${OSSEC_GROUP}) -d ${PREFIX}/active-response
|
||||
- $(call INSTALL_CMD,0550,root,${OSSEC_GROUP}) -d ${PREFIX}/active-response/bin
|
||||
- $(call INSTALL_CMD,0550,root,${OSSEC_GROUP}) -d ${PREFIX}/agentless
|
||||
- $(call INSTALL_CMD,0550,root,${OSSEC_GROUP}) agentlessd/scripts/* ${PREFIX}/agentless/
|
||||
+ $(call INSTALL_CMD) -d ${PREFIX}/active-response
|
||||
+ $(call INSTALL_CMD) -d ${PREFIX}/active-response/bin
|
||||
+ $(call INSTALL_CMD) -d ${PREFIX}/agentless
|
||||
+ $(call INSTALL_CMD) agentlessd/scripts/* ${PREFIX}/agentless/
|
||||
|
||||
- $(call INSTALL_CMD,0700,root,${OSSEC_GROUP}) -d ${PREFIX}/.ssh
|
||||
+ $(call INSTALL_CMD) -d ${PREFIX}/.ssh
|
||||
|
||||
- $(call INSTALL_CMD,0550,root,${OSSEC_GROUP}) ../active-response/*.sh ${PREFIX}/active-response/bin/
|
||||
- $(call INSTALL_CMD,0550,root,${OSSEC_GROUP}) ../active-response/firewalls/*.sh ${PREFIX}/active-response/bin/
|
||||
+ $(call INSTALL_CMD) ../active-response/*.sh ${PREFIX}/active-response/bin/
|
||||
+ $(call INSTALL_CMD) ../active-response/firewalls/*.sh ${PREFIX}/active-response/bin/
|
||||
|
||||
- $(call INSTALL_CMD,0550,root,${OSSEC_GROUP}) -d ${PREFIX}/var
|
||||
- $(call INSTALL_CMD,0770,root,${OSSEC_GROUP}) -d ${PREFIX}/var/run
|
||||
-
|
||||
-chmod 550 ${DIR}/etc
|
||||
-chmod 440 ${DIR}/etc/internal_options.conf
|
||||
-chmod 440 ${DIR}/etc/local_internal_options.conf > /dev/null 2>&1
|
||||
-chmod 440 ${DIR}/etc/client.keys > /dev/null 2>&1
|
||||
-chmod -R 770 ${DIR}/etc/shared # ossec must be able to write to it
|
||||
-chmod 550 ${DIR}/agentless/*
|
||||
-chmod 700 ${DIR}/.ssh
|
||||
+echo chown root:${GROUP} ${DIR}/etc/internal_options.conf
|
||||
+echo chown root:${GROUP} ${DIR}/etc/local_internal_options.conf "> /dev/null 2>&1"
|
||||
+echo chown root:${GROUP} ${DIR}/etc/client.keys "> /dev/null 2>&1"
|
||||
+echo chown root:${GROUP} ${DIR}/agentless/*
|
||||
+echo chown ${USER}:${GROUP} ${DIR}/.ssh
|
||||
+echo chown -R root:${GROUP} ${DIR}/etc/shared
|
||||
- ./init/fw-check.sh execute
|
||||
+ $(call INSTALL_CMD) -d ${PREFIX}/var
|
||||
+ $(call INSTALL_CMD) -d ${PREFIX}/var/run
|
||||
|
||||
|
||||
|
||||
install-server-generic: install-common
|
||||
- $(call INSTALL_CMD,0660,${OSSEC_USER},${OSSEC_GROUP}) /dev/null ${PREFIX}/logs/active-responses.log
|
||||
- $(call INSTALL_CMD,0750,${OSSEC_USER},${OSSEC_GROUP}) -d ${PREFIX}/logs/archives
|
||||
- $(call INSTALL_CMD,0750,${OSSEC_USER},${OSSEC_GROUP}) -d ${PREFIX}/logs/alerts
|
||||
- $(call INSTALL_CMD,0750,${OSSEC_USER},${OSSEC_GROUP}) -d ${PREFIX}/logs/firewall
|
||||
-
|
||||
- $(call INSTALL_CMD,0550,root,0) ossec-agentlessd ${PREFIX}/bin
|
||||
- $(call INSTALL_CMD,0550,root,0) ossec-analysisd ${PREFIX}/bin
|
||||
- $(call INSTALL_CMD,0550,root,0) ossec-monitord ${PREFIX}/bin
|
||||
- $(call INSTALL_CMD,0550,root,0) ossec-reportd ${PREFIX}/bin
|
||||
- $(call INSTALL_CMD,0550,root,0) ossec-maild ${PREFIX}/bin
|
||||
- $(call INSTALL_CMD,0550,root,0) ossec-remoted ${PREFIX}/bin
|
||||
- $(call INSTALL_CMD,0550,root,0) ossec-logtest ${PREFIX}/bin
|
||||
- $(call INSTALL_CMD,0550,root,0) ossec-csyslogd ${PREFIX}/bin
|
||||
- $(call INSTALL_CMD,0550,root,0) ossec-authd ${PREFIX}/bin
|
||||
- $(call INSTALL_CMD,0550,root,0) ossec-dbd ${PREFIX}/bin
|
||||
- $(call INSTALL_CMD,0550,root,0) ossec-makelists ${PREFIX}/bin
|
||||
- $(call INSTALL_CMD,0550,root,0) verify-agent-conf ${PREFIX}/bin/
|
||||
- $(call INSTALL_CMD,0550,root,0) clear_stats ${PREFIX}/bin/
|
||||
- $(call INSTALL_CMD,0550,root,0) list_agents ${PREFIX}/bin/
|
||||
- $(call INSTALL_CMD,0550,root,0) ossec-regex ${PREFIX}/bin/
|
||||
- $(call INSTALL_CMD,0550,root,0) syscheck_update ${PREFIX}/bin/
|
||||
- $(call INSTALL_CMD,0550,root,0) agent_control ${PREFIX}/bin/
|
||||
- $(call INSTALL_CMD,0550,root,0) syscheck_control ${PREFIX}/bin/
|
||||
- $(call INSTALL_CMD,0550,root,0) rootcheck_control ${PREFIX}/bin/
|
||||
-
|
||||
- $(call INSTALL_CMD,0750,${OSSEC_USER},${OSSEC_GROUP}) -d ${PREFIX}/stats
|
||||
- $(call INSTALL_CMD,0550,root,${OSSEC_GROUP}) -d ${PREFIX}/rules
|
||||
+ $(call INSTALL_CMD) /dev/null ${PREFIX}/logs/active-responses.log
|
||||
+ $(call INSTALL_CMD) -d ${PREFIX}/logs/archives
|
||||
+ $(call INSTALL_CMD) -d ${PREFIX}/logs/alerts
|
||||
+ $(call INSTALL_CMD) -d ${PREFIX}/logs/firewall
|
||||
+
|
||||
+echo chmod 550 ${DIR}/etc
|
||||
+echo chmod 440 ${DIR}/etc/internal_options.conf
|
||||
+echo chmod 440 ${DIR}/etc/local_internal_options.conf > /dev/null 2>&1
|
||||
+echo chmod 440 ${DIR}/etc/client.keys > /dev/null 2>&1
|
||||
+echo chmod -R 770 ${DIR}/etc/shared # ossec must be able to write to it
|
||||
+echo chmod 550 ${DIR}/agentless/*
|
||||
+echo chmod 700 ${DIR}/.ssh
|
||||
+ $(call INSTALL_CMD) ossec-agentlessd ${PREFIX}/bin
|
||||
+ $(call INSTALL_CMD) ossec-analysisd ${PREFIX}/bin
|
||||
+ $(call INSTALL_CMD) ossec-monitord ${PREFIX}/bin
|
||||
+ $(call INSTALL_CMD) ossec-reportd ${PREFIX}/bin
|
||||
+ $(call INSTALL_CMD) ossec-maild ${PREFIX}/bin
|
||||
+ $(call INSTALL_CMD) ossec-remoted ${PREFIX}/bin
|
||||
+ $(call INSTALL_CMD) ossec-logtest ${PREFIX}/bin
|
||||
+ $(call INSTALL_CMD) ossec-csyslogd ${PREFIX}/bin
|
||||
+ $(call INSTALL_CMD) ossec-authd ${PREFIX}/bin
|
||||
+ $(call INSTALL_CMD) ossec-dbd ${PREFIX}/bin
|
||||
+ $(call INSTALL_CMD) ossec-makelists ${PREFIX}/bin
|
||||
+ $(call INSTALL_CMD) verify-agent-conf ${PREFIX}/bin/
|
||||
+ $(call INSTALL_CMD) clear_stats ${PREFIX}/bin/
|
||||
+ $(call INSTALL_CMD) list_agents ${PREFIX}/bin/
|
||||
+ $(call INSTALL_CMD) ossec-regex ${PREFIX}/bin/
|
||||
+ $(call INSTALL_CMD) syscheck_update ${PREFIX}/bin/
|
||||
+ $(call INSTALL_CMD) agent_control ${PREFIX}/bin/
|
||||
+ $(call INSTALL_CMD) syscheck_control ${PREFIX}/bin/
|
||||
+ $(call INSTALL_CMD) rootcheck_control ${PREFIX}/bin/
|
||||
+
|
||||
+ $(call INSTALL_CMD) -d ${PREFIX}/stats
|
||||
+ $(call INSTALL_CMD) -d ${PREFIX}/rules
|
||||
ifneq (,$(wildcard ${PREFIX}/rules/local_rules.xml))
|
||||
cp ${PREFIX}/rules/local_rules.xml ${PREFIX}/rules/local_rules.xml.installbackup
|
||||
- $(call INSTALL_CMD,0640,root,${OSSEC_GROUP}) -b ../etc/rules/*.xml ${PREFIX}/rules
|
||||
- $(call INSTALL_CMD,0640,root,${OSSEC_GROUP}) ${PREFIX}/rules/local_rules.xml.installbackup ${PREFIX}/rules/local_rules.xml
|
||||
+ $(call INSTALL_CMD) -b ../etc/rules/*.xml ${PREFIX}/rules
|
||||
+ $(call INSTALL_CMD) ${PREFIX}/rules/local_rules.xml.installbackup ${PREFIX}/rules/local_rules.xml
|
||||
rm ${PREFIX}/rules/local_rules.xml.installbackup
|
||||
else
|
||||
- $(call INSTALL_CMD,0640,root,${OSSEC_GROUP}) -b ../etc/rules/*.xml ${PREFIX}/rules
|
||||
+ $(call INSTALL_CMD) -b ../etc/rules/*.xml ${PREFIX}/rules
|
||||
endif
|
||||
|
||||
- $(call INSTALL_CMD,0750,${OSSEC_USER},${OSSEC_GROUP}) -d ${PREFIX}/queue/fts
|
||||
+ $(call INSTALL_CMD) -d ${PREFIX}/queue/fts
|
||||
|
||||
# For the /var/run
|
||||
-chmod 770 ${DIR}/var/run
|
||||
-chown root:${GROUP} ${DIR}/var/run
|
||||
+echo chmod 770 ${DIR}/var/run
|
||||
+echo chown root:${GROUP} ${DIR}/var/run
|
||||
- $(call INSTALL_CMD,0750,${OSSEC_USER},${OSSEC_GROUP}) -d ${PREFIX}/queue/rootcheck
|
||||
+ $(call INSTALL_CMD) -d ${PREFIX}/queue/rootcheck
|
||||
|
||||
- $(call INSTALL_CMD,0750,${OSSEC_USER_REM},${OSSEC_GROUP}) -d ${PREFIX}/queue/agent-info
|
||||
- $(call INSTALL_CMD,0750,${OSSEC_USER},${OSSEC_GROUP}) -d ${PREFIX}/queue/agentless
|
||||
+ $(call INSTALL_CMD) -d ${PREFIX}/queue/agent-info
|
||||
+ $(call INSTALL_CMD) -d ${PREFIX}/queue/agentless
|
||||
|
||||
# Moving the binary files
|
||||
@@ -201,11 +201,11 @@
|
||||
sh ./init/fw-check.sh execute > /dev/null
|
||||
cp -pr ../active-response/*.sh ${DIR}/active-response/bin/
|
||||
cp -pr ../active-response/firewalls/*.sh ${DIR}/active-response/bin/
|
||||
-chmod 755 ${DIR}/active-response/bin/*
|
||||
-chown root:${GROUP} ${DIR}/active-response/bin/*
|
||||
+echo chmod 755 ${DIR}/active-response/bin/*
|
||||
+echo chown root:${GROUP} ${DIR}/active-response/bin/*
|
||||
|
||||
-chown root:${GROUP} ${DIR}/bin/*
|
||||
-chmod 550 ${DIR}/bin/*
|
||||
+echo chown root:${GROUP} ${DIR}/bin/*
|
||||
+echo chmod 550 ${DIR}/bin/*
|
||||
|
||||
|
||||
# Moving the config file
|
||||
@@ -221,8 +221,8 @@
|
||||
else
|
||||
cp -pr ../etc/ossec-agent.conf ${DIR}/etc/ossec.conf
|
||||
fi
|
||||
-chown root:${GROUP} ${DIR}/etc/ossec.conf
|
||||
-chmod 440 ${DIR}/etc/ossec.conf
|
||||
+echo chown root:${GROUP} ${DIR}/etc/ossec.conf
|
||||
+echo chmod 440 ${DIR}/etc/ossec.conf
|
||||
- $(call INSTALL_CMD,0750,${OSSEC_USER_REM},${OSSEC_GROUP}) -d ${PREFIX}/queue/rids
|
||||
+ $(call INSTALL_CMD) -d ${PREFIX}/queue/rids
|
||||
|
||||
- $(call INSTALL_CMD,0640,root,${OSSEC_GROUP}) ../etc/decoder.xml ${PREFIX}/etc/
|
||||
+ $(call INSTALL_CMD) ../etc/decoder.xml ${PREFIX}/etc/
|
||||
|
||||
rm -f ${PREFIX}/etc/shared/merged.mg
|
||||
|
||||
|
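Review bot: The rewritten Makefile hunks reduce `INSTALL_CMD?=install -m $(1) -o $(2) -g $(3)` to `INSTALL_CMD?=install`, so the modes upstream sets on sensitive paths (0700 on `.ssh`, 0640 on `client.keys` and `ossec.conf`, 0550 on the daemons) are dropped together with the ownership. Dropping `-o`/`-g` is needed for an unprivileged build, but nothing records that the permission model now has to be re-created wherever the runtime directory is set up. The comment above `patches` in agent.nix and server.nix should state this, e.g. `# no-root.patch also drops upstream file modes/owners; restore them on the runtime directory`. The patch also appears to comment out the root check and the `runInit` call in install.sh; the old and new sides of this section are interleaved on the page, so this reading should be confirmed against the patch file itself.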
|
70
pkgs/tools/security/ossec/server.nix
Normal file
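--- a/pkgs/tools/security/ossec/server.nix
+++ b/pkgs/tools/security/ossec/server.nix
@@ -0,0 +1,70 @@
+{ lib, stdenv, fetchFromGitHub, which, pcre2, zlib, ncurses, openssl }:
+let
+version = "unstable-2023-08-09";
+in
+stdenv.mkDerivation {
+pname = "ossec-server";
+inherit version;
+
+src = fetchFromGitHub {
+owner = "ossec";
+repo = "ossec-hids";
+rev = "c8a36b0af3d4ee5252855b90236407cbfb996eb2";
+sha256 = "sha256-AZ8iubyhNHXGR/l+hA61ifNDUoan7AQ42l/uRTt5GmE=";
+};
+
+# clear is used during the build process
+nativeBuildInputs = [ ncurses ];
+
+buildInputs = [ which pcre2 zlib openssl ];
+
+# patch to remove root manipulation, install phase which tries to add users to the system, and init phase which tries to modify the system to launch files
+patches = [ ./no-root.patch ];
+
+# Workaround build failure on -fno-common toolchains like upstream
+# gcc-10. Otherwise build fails as:
+# ld: src/common/mgmt/pint-worker-external.po:(.data.rel.local+0x0): multiple definition of
+# `PINT_worker_external_impl'; src/common/mgmt/pint-mgmt.po:(.bss+0x20): first defined here
+env.NIX_CFLAGS_COMPILE = "-fcommon";
+
+buildPhase = ''
+mkdir -p $out/logs
+export USER_DIR="$out" # just to satisy the script
+./install.sh <<EOF
+en
+
+server
+n
+n
+EOF
+'';
+
+installPhase = ''
+runHook preInstall
+
+mkdir -p $out/share
+mv $out/active-response/bin/* $out/bin
+mv $out/etc $out/share
+mv $out/queue $out/share
+mv $out/var $out/share
+mv $out/agentless $out/share
+mv $out/.ssh $out/share
+mv $out/logs $out/share
+mv $out/rules $out/share
+mv $out/stats $out/share
+rm -r $out/active-response
+rm -r $out/tmp
+ls -lah $out
+
+runHook postInstall
+'';
+
+meta = with lib; {
+description = "Open source host-based instrusion detection system";
+homepage = "https://www.ossec.net";
+license = licenses.gpl2;
+maintainers = with maintainers; [ happysalada ];
+platforms = platforms.all;
+};
+}
+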
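Review bot: `ls -lah $out` in installPhase looks like a debugging leftover and should be removed before merge. buildPhase is also overridden without `runHook preBuild` / `runHook postBuild`, although installPhase calls its hooks, so build hooks set by an override are skipped here and in agent.nix. The heredoc answers `n`, `n` deserve a comment naming the install.sh prompts they answer, so a reader can tell which server features are disabled in the generated configuration. The description string is misspelled ("instrusion") in both new files.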
|
@ -11773,7 +11773,9 @@ with pkgs;
|
|||
|
||||
osqp = callPackage ../development/libraries/science/math/osqp { };
|
||||
|
||||
ossec = callPackage ../tools/security/ossec { };
|
||||
ossec-agent = callPackage ../tools/security/ossec/agent.nix { };
|
||||
|
||||
ossec-server = callPackage ../tools/security/ossec/server.nix { };
|
||||
|
||||
osslsigncode = callPackage ../development/tools/osslsigncode { };
|
||||
|
||||
|
|